Department of Homeland Security
Office of Inspector General

Vulnerabilities Highlight the Need for More Effective Web Security Management

(Redacted)

OIG-09-101
September 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

September 10, 2009

Preface

The Department of Homeland Security (DHS), Office of Inspector General, was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses the strengths and weaknesses of DHS’ management of its public-facing websites. It is based on interviews with selected officials and contractor personnel, direct observations, technical security vulnerability assessments, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all who contributed to the preparation of this report.

Richard L.
Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
  Components Adhere to DHS Policy When Configuring Websites
  Website Vulnerabilities Could Put DHS Data at Risk
  Recommendations
  Management Comments and OIG Analysis
  Improved Management Controls Could Improve Website Security
  Recommendations
  Management Comments and OIG Analysis

Appendices
  Appendix A: Purpose, Scope, and Methodology
  Appendix B: Management Comments to the Draft Report
  Appendix C: Major Contributors to this Report
  Appendix D: Report Distribution

Abbreviations
  CBP     Customs and Border Protection
  CIO     Chief Information Officer
  DHS     Department of Homeland Security
  FEMA    Federal Emergency Management Agency
  FISMA   Federal Information Security Management Act
  FLETC   Federal Law Enforcement Training Center
  HQ      Headquarters
  ICE     Immigration and Customs Enforcement
  IT      Information Technology
  NPPD    National Protection and Programs Directorate
  TSA     Transportation Security Administration
  USCG    United States Coast Guard
  USCIS   United States Citizenship and Immigration Services
  USSS    United States Secret Service

Executive Summary

The Department of Homeland Security’s (DHS) public-facing websites present a highly accessible point of entry and attack to its information resources. These websites are useful in providing DHS and the public with access to information and services, but must be properly configured and maintained in order to protect sensitive data.

We evaluated nine of DHS’ most frequently visited public-facing websites to determine whether DHS has implemented effective security controls and practices. We examined the implementation of DHS’ required configuration settings and patch management practices. We also performed vulnerability assessments on these websites.
In addition, we reviewed documentation regarding electronic authentication for web-based access according to the Federal Information Security Management Act of 2002 (FISMA).

Overall, DHS components have followed department policy when configuring operating systems supporting their websites. Recommended security settings and controls were implemented consistently on the servers reviewed. In addition, sites using electronic authentication for web-based access were properly documented according to FISMA. However, patch management practices and periodic security assessments were not consistently being performed, resulting in numerous critical system vulnerabilities. These vulnerabilities could put DHS data at risk. In addition, DHS can make improvements in managing its system inventory and providing technical oversight and guidance in order to evaluate the security threats to its public-facing websites.

We are making six recommendations to the Chief Information Officer. DHS management officials concurred with our findings and recommendations, and we consider them resolved. These recommendations will remain open until DHS provides documentation to support that the implementation of all corrective actions is complete.

Background

The World Wide Web is a system for exchanging information over the internet.
At the most basic level, a website can be divided into two principal components: web servers, which are computers that make information available over the internet (provide hosting services), and website applications, software used to access and display the information stored on web servers and support systems. Both parts require security measures designed to protect their content.

Websites are often the most targeted and attacked hosts on an organization’s network. As a result, it is essential to secure web servers and the network infrastructure that supports them. Effective security management should include the application of effective controls upon configuration and deployment, as well as ongoing maintenance through the performance of regular vulnerability assessments and software updates.

DHS has more than 125 websites accessible by the public which provide component services and communicate emergency data when needed. These systems are provided as a service to the public, and their accessibility is key to DHS’ mission, but this accessibility can also make these sites vulnerable to attack.

The department’s websites are supported by a variety of server operating systems, application software programs, hardware platforms, and hosting locations, including DHS, other federal agencies, and contractor facilities.
The diversity in software, hardware, physical locations, and the constantly changing content of web pages creates a challenging security environment.

Appropriate management practices are essential to operating and maintaining a secure website. Security practices entail the identification of an organization’s information technology (IT) assets and the development and implementation of documented policies, standards, procedures, and guidelines that help to ensure the confidentiality, integrity, and availability of information system resources.

Results of Audit

Components Adhere to DHS Policy When Configuring Websites

Components consistently applied DHS policy in building and deploying the servers that host their public-facing websites. Components enforce strong password controls for system administrators, limit shared accounts, and ensure that all unnecessary services are disabled. Implementation of these controls is part of a robust information security program.

We reviewed nine of the most frequently visited DHS websites, based on published monthly statistics for December 2008.
These sites represent the main public information portals of DHS’ components: Customs and Border Protection (CBP), DHS Headquarters (HQ), Federal Emergency Management Agency (FEMA), Federal Law Enforcement Training Center (FLETC), Immigration and Customs Enforcement (ICE), National Protection and Programs Directorate (NPPD), Transportation Security Administration (TSA), United States Coast Guard (USCG), and United States Citizenship and Immigration Services (USCIS). We evaluated the websites to determine whether security controls required by DHS’ configuration guides had been implemented. We tested the websites for technical vulnerabilities and reviewed supporting FISMA documentation.

DHS publishes secure baseline configuration guides to assist network security personnel in deploying IT systems throughout the department. These guides outline specific security settings for operating systems and applications. In addition to the application of baseline configuration guide settings, some components regularly test their websites for vulnerabilities.

All web servers tested showed evidence of strong password controls for complexity, reuse, and aging.
Web server administrators limited the use of shared accounts, and employed best practices in deactivating services that could allow attackers unauthorized access, such as Telnet and File Transfer Protocol.

Component IT security personnel regularly performed these tests on operating systems, but only a few had the tools or experience testing web applications for security vulnerabilities. As website content is updated or changed, existing vulnerabilities may remain or new vulnerabilities can be introduced, putting the system and data at risk.

Office of Management and Budget Memorandum M-00-13, Privacy Policies and Data Collection on Federal Web Sites, limits the use of tracking cookies, small bits of information collected to track website use, on government websites. The results of our vulnerability assessments indicated that all but one of the sites reviewed disabled the use of tracking cookies.

Website Vulnerabilities Could Put DHS Data at Risk

Our review of DHS’ most frequently visited websites identified vulnerabilities that could put department information resources at risk.
Insufficient security assessments of websites by component security personnel could jeopardize the confidentiality, integrity, and availability of data.

Significant Vulnerabilities Identified

The results of our vulnerability assessments identified

Assessment results of web servers showed

Figure 1 shows the number of critical and high vulnerabilities identified by component.

Figure 1: Website and Server Vulnerabilities by Component

Column headings: Component, Critical Vulnerabilities, High Vulnerabilities, Web Application, Server, Total

Servers hosting websites for

Our assessments identified

Assessment results for servers hosting the

DHS has not effectively managed the security programs of these websites by

While components have implemented the initial phases of good security lifecycle practices for their

Figure 2 shows examples of website vulnerabilities.

Figure 2: Vulnerabilities of
Websites

Diagram labels: User, Web Server, Content, Known Exploits, Cross site scripting, Data (Web site content), Defacing

Component Website Vulnerability Testing

TSA and USCG perform regular vulnerability assessments on their websites. This practice protects DHS data and websites by identifying security risks that may be introduced after the initial development and deployment of the website. In addition, the websites for FEMA, NPPD, and USCG contained no vulnerabilities listed as critical or high, and all security patches were applied.
These components’ security practices, through periodic assessments, patch and update policies, and documented procedures, set the example of an effective defense-in-depth approach to good IT systems security.

Components that conduct periodic assessments and perform scans of updates to websites while still in development can identify and mitigate vulnerabilities before DHS data and systems are at risk.

The SysAdmin, Audit, Network, and Security Institute, known as SANS, annually rates cross site scripting as the highest security risk associated with websites. Every week, hundreds of vulnerabilities are reported and actively exploited in commercially available and open source web applications. SANS identified that web application vulnerabilities account for almost half the total number of vulnerabilities being discovered in the past year.

DHS Sensitive Systems Policy Directive 4300A establishes that even public information, such as that contained on a website, requires protection against erroneous manipulation or alteration. Components are required to manage their systems to reduce vulnerabilities through testing and promptly installing patches and critical security updates.

Technical vulnerabilities on department websites expose them to defacing, interruption of services, or loss of resources.
Exploits and attacks against websites could compromise the confidentiality, availability, and integrity of department data.

Recommendations

We recommend the Chief Information Officer (CIO):

Recommendation #1: Require components to perform periodic security vulnerability assessments on their public-facing websites.

Recommendation #2: Require components to apply security patches promptly to the servers supporting public-facing websites.

Management Comments and OIG Analysis

DHS concurs with recommendation 1. Management responded that they will have the DHS Security Operations Center (SOC) identify the applications supporting these sites as critical and track the action for vulnerability scanning each quarter. In addition, the Office of the Chief Information Officer (OCIO), in cooperation with components, will work to develop a plan of action to move these sites to the Enterprise Data Center with the Trusted Internet Connection in order to provide consistent control and security monitoring.

We agree the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurs with recommendation 2. DHS plans for the SOC to establish tracking of critical security patches specific to these sites by April 2010.

We agree the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
We consider this recommendation resolved and it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

Improved Management Controls Could Improve Website Security

DHS management could improve website security through guidance focused on specific threats, and by maintaining an inventory of its public-facing websites. Current DHS guidance does not identify the need for constant security maintenance of websites. As DHS websites are updated with current data, some content may contain security flaws, risking DHS data and services.

Furthermore, DHS management does not have an inventory of its public-facing websites. While most components had knowledge of their own websites, DHS does not track which are inventoried under a general support system or major application. Detailed guidance and improved oversight could protect DHS websites from risk of service interruption and data loss.

DHS policy does not adequately address the risks associated with or the need for specialized security programs for its 125+ public-facing websites. Websites and their support systems face specific threats which need to be addressed beyond the current IT security practices.
The current policy, which only mandates security assessments annually, does not clearly describe requirements to assess risks associated with constantly changing web content or the diverse manner in which sites are hosted.

Websites are designed to deliver information to the public as a service and some DHS sites are updated on a weekly basis. We identified sites that were updated as often as three times weekly, with content that had never undergone a security review. These updates constitute new code that could contain vulnerabilities, such as cross site scripting and Structured Query Language injection, and nullify any previous assessment. Any content change to a website could broaden its attack surface, and create a new opportunity for malicious activity.

The availability of a website inventory, or an ability to identify systems’ public-facing elements, would assist DHS in managing and securing one of the most targeted and attacked hosts on organizations’ networks. An inventory should list those responsible and accountable for website security, as well as assist in identifying accreditation status of legacy systems. CBP’s website was not certified or accredited, although it was one of the top five visited sites in DHS. It was not inventoried under a general support system or major application. The main public web site for USSS is still hosted by the Treasury Department.
While this site and its security are managed by Treasury, no formal agreement between DHS and Treasury was in place to ensure its protection.

DHS Sensitive Systems Policy Directive 4300A establishes that leadership must assess risk and ensure the security of each system throughout its lifecycle. DHS components must conduct risk assessments whenever significant changes to the system configuration or to the operational/threat environment occur. Public-facing websites whose attack surfaces could be broadened by frequent content changes fit this definition.

All web content updates should be scanned by security software for exploitable vulnerabilities; existing websites should be scanned frequently to identify risks. Current DHS policy establishes that systems should be assessed annually for security vulnerabilities, but in the case of constantly changing public-facing websites, this is not enough. Changes to websites are not identified within the policy as being a significant change that would require a new risk or security vulnerability assessment.

The rapid growth of the popularity and number of DHS websites highlights the need to address specific threats with more effective web security management. DHS information security practices should include more stringent controls for websites. DHS’ public-facing websites are at risk from attacks that could include defacing, manipulation, or alteration.
Sophisticated attacks on federal websites have proven they can disrupt service and risk the confidentiality, integrity, and availability of services and data.

Recommendations

We recommend the CIO:

Recommendation #3: Clarify the department’s vulnerability assessment policy and guidelines to address threats specifically associated with its websites.

Recommendation #4: Develop an inventory of the public-facing website elements of major applications and general support systems.

Recommendation #5: Direct CBP’s CIO to ensure its public-facing website is certified and accredited.

Recommendation #6: Direct USSS’ CIO to develop and implement a plan to move its website under DHS’ security program.

Management Comments and OIG Analysis

DHS concurs with recommendation 3. DHS agrees that in order to properly address the threats confronting the public-facing websites, the processes must adhere to those included within the master service agreement. In addition, under the direction of the SOC, all systems will adhere to the guidance as directed through the Information Security Vulnerability Messages.

We agree the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurs with recommendation 4.
The OCIO has agreed to leverage the information in the Department’s Enterprise Architecture and the Trusted Agent FISMA (TAF) database to establish an inventory of public-facing major applications and support systems.

We agree the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurs with recommendation 5. As part of the collaboration between OCIO and CBP, DHS initiated the certification and accreditation process for the www.cbp.gov website in March 2009.

We agree the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS concurs with recommendation 6. USSS has established communications with the OCIO to perform this action.

We agree the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
We consider this recommendation resolved and it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

Appendix A: Purpose, Scope, and Methodology

The objective of our review was to determine whether DHS has implemented effective security controls to protect its web servers and website applications, and has documented electronic authorization for web-based access in accordance with FISMA. We interviewed selected personnel at DHS headquarters, component offices, and contractor sites in Pennsylvania, Maryland, and Virginia. In addition, we reviewed and evaluated DHS security policies and procedures, configuration management practices, and other appropriate documentation.

We used

Upon completion of the assessments, we provided program officials with the technical reports detailing the specific vulnerabilities detected and the actions needed for remediation.
The table below shows the websites and components tested.

Website                    Component
cbp.gov                    CBP
interactive.dhs.gov        DHS HQ
fema.gov                   FEMA
fletc.gov                  FLETC
ice.gov                    ICE
us-cert.gov                NPPD
twicprogram.tsa.dhs.gov    TSA
uscg.mil                   USCG
uscis.gov                  USCIS

Note: We did not evaluate the USSS website for technical vulnerabilities, as it is hosted by the Treasury.

We conducted this performance audit between November 2008 and April 2009 according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Major OIG contributors to the audit are identified in Appendix C.

The principal OIG points of contact for the evaluation are Frank Deffer,
Assistant Inspector General, Office of Information Technology, at
(202) 254-4041 and Edward G. Coleman, Director, Information Security Audit
Division, at (202) 254-5444.

Appendix B
Management Comments to the Draft Report

Appendix C
Major Contributors to this Report

Information Security Audit Division

Edward Coleman, Director
Mike Horton, IT Officer
Barbara Bartuska, Audit Manager
Thomas Rohrback, IT Specialist
David Bunning, Program and Management Clerk

Advanced Technology Division

John Molesky, IT Specialist

Robert Durst, Referencer

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff for Operations
Chief of Staff for Policy
Acting General Counsel
Executive Secretariat
Assistant Secretary for Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
CIO
Deputy CIO
Chief Information Security Officer
Director, Compliance and Oversight
Director, GAO/OIG Liaison Office
CIO Audit Liaison
Chief Information Security Officer Audit Manager
CIO, CBP
CIO, FEMA
CIO, FLETC
CIO, ICE
CIO, NPPD
CIO, TSA
CIO, USCG
CIO, USCIS
CIO, USSS

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of
Inspector General (OIG) at (202) 254-4100, fax your request to
(202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal misconduct relative to department programs or
operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention:
       Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.